Is it better to use Bitlocker or the built-in-drive-encryption that my SSD offers?

My system:

  • Intel Core i7-4790, which supports AES-NI
  • ASUS Z97-PRO mobo
  • Samsung 250GB EVO SSD (with built-in encryption option)
  • 64-bit Windows 7

If I just want to encrypt my boot drive with AES256 or similar, what would be the difference / faster performance / more secure? Flip Windows Bitlocker on and not use the SSD encryption, or enable the built-in drive encryption that the SSD offers, and don't worry about Bitlocker?

I'm thinking it might be better to offload the encryption to the SSD by using the Evo's encryption option, so that the processor doesn't have to do any encryption; this might be better for I/O performance and give the CPU a breather? Or since this CPU has AES-NI, it might not matter?

I'm new to Bitlocker and this SSD encryption option, so any help is much appreciated.


Old question, but since then several new developments have been found concerning Bitlocker and drive encryption (used either alone or in combination), so I will turn a couple of my comments on the page into an answer. Maybe it is of use to someone doing a search in 2018 and later.

Bitlocker (alone):
There have been several ways to breach Bitlocker in its history; luckily, most of them have already been patched / mitigated in 2018. What remains (known) includes, for example, the "Cold Boot Attack" - the newest version of which really isn't Bitlocker-specific (you need physical access to a running computer and steal the encryption keys, and anything else, straight from the memory).

SSD drive hardware encryption and Bitlocker:
A new vulnerability has surfaced in 2018; if an SSD disk has hardware encryption, which most SSDs have, Bitlocker defaults to using only that. Which means that if that encryption itself has been cracked, the user essentially has no protection at all.
Drives that are known to be suffering from this vulnerability include (but are probably not limited to):

  • Crucial MX100, MX200, MX300 series
  • Samsung 840 EVO, 850 EVO, T3, T5

More information about the SSD encryption problem here:
https://twitter.com/matthew_d_green/status/1059435094421712896

And the actual paper (as PDF) delving deeper into the problem here:
t.co/UGTsvnFv9Y?amp=1

So the answer really is: since Bitlocker uses the disk's hardware encryption, and has its own vulnerabilities on top of that, you're better off using the hardware encryption if your SSD is not on the list of cracked SSDs.

If your disk is on the list, you're better off using something else entirely since Bitlocker would use the drive encryption anyway. What is the question; on Linux I would recommend LUKS, for example.
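
Added example, not part of the answer above: a PowerShell check for the case the answer describes, where BitLocker leaves encryption to the SSD. It parses `manage-bde -status` output; the function name `Get-BdeEncryptionMethod` and the sample text are constructed for illustration, and the parsing assumes English-language output.

```powershell
# Added example: flag BitLocker volumes whose encryption is done by the drive.
# Parses English-language `manage-bde -status` output; needs PowerShell 3.0+.
function Get-BdeEncryptionMethod {   # hypothetical helper name
    param([string[]]$StatusLines)

    $volume = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+)') {
            $volume = $Matches[1]    # e.g. "C:"
        }
        elseif ($volume -and $line -match '^\s+Encryption Method:\s+(.+?)\s*$') {
            $method = $Matches[1]
            [pscustomobject]@{
                Volume        = $volume
                Method        = $method
                # "Hardware Encryption" means the SSD firmware, not BitLocker's
                # own AES implementation, protects the data on this volume.
                DriveEncrypts = $method -like 'Hardware Encryption*'
            }
        }
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Volume C: [OS]
[OS Volume]

    Size:                 232.88 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 256
    Protection Status:    Protection On
'@ -split "`r?`n"

Get-BdeEncryptionMethod -StatusLines $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   Get-BdeEncryptionMethod -StatusLines (manage-bde -status)
```

In the sample, `C:` is reported with `DriveEncrypts` true and `D:` with false; a volume that reports true depends entirely on the drive's own encryption.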


I've been doing some research on this and have a half-complete answer for you.

  1. It is always better to use hardware-based encryption on a self-encrypting drive. If you use the software-based encryption on Bitlocker or another encryption program, it will cause anywhere between a 25% and 45% slowdown in read/write speeds. You could see a minimum of a 10% drop in performance. (Note: you must have an SSD with a TPM chip.)

  2. Bitlocker is compatible with hardware-based encryption; you can use Samsung Magician v4.9.6 (v5 no longer supports this) to wipe the drive and enable the hardware-based encryption.

http://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encryption-for-ssds/

  3. You can enable hardware-based encryption via the BIOS by setting the master password. You will need to follow some of the steps in the article above, like turning off CSM.

  4. To answer your question, I don't really know which is faster. I have reached out to Samsung, but given the limited info on this, unless I get a developer I doubt I will get a good answer as to which is the better option. For now I plan to enable the hardware-based encryption in my BIOS.